Health agencies1 are required to comply with the National Privacy Principles (NPPs), and all other agencies2 with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPP 10 and NPP 2 an agency can only use personal information3 for the reason it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
The exceptions include that the use or disclosure is authorised or required by law as set out in IPP 10(1)(c) and 11(1)(d), and NPP 2(1)(f).
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(c) use of the information for the other purpose is authorised or required under a law.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(d) the disclosure is authorised or required under a law.
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(f) the use or disclosure is authorised or required by or under law
As a general rule, law means Queensland statutory instruments. It will also mean Commonwealth legislation, or a law of another state or territory, where the legislation applies in Queensland.
Natural justice is an exception to this rule. The obligation to accord natural justice is one of the fundamental underpinnings of government decision making and the failure to accord it is one of the grounds on which a decision may be overturned on judicial review.
If it is necessary to use or disclose personal information in order to fully accord natural justice, then that use or disclosure will be authorised under these exceptions.
For detailed information refer to Natural justice, disclosure, and privacy.
Use or disclosure of the information will be required under law where:
Use or disclosure of the personal information will be authorised under law where the use or disclosure is permitted but not required.
Generally, the use or disclosure of personal information must be done under an express authority, such as a section, part or chapter of an Act. There are, however, some circumstances in which the lawful authority may be implied rather than express.
Where it is impossible to perform a function or activity required or authorised by an Act without using or disclosing personal information, the use or disclosure will be impliedly authorised by law.
For example, where an agency has a legal obligation to report the full details of a benefit scheme it administers to an oversight body, there is an implied legal authority to disclose personal information of individuals who have received the benefit, as it is impossible to report as legally required without doing so.
Care must be taken when relying on these exceptions to only use or disclose as much personal information as is necessary to meet the obligation or authorisation. Personal information used or disclosed in excess of this will not be authorised.
Current as at: September 20, 2019